Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uncertain syntax for wildcard subject alt name under intermediate cert with name constraints #12250

Closed
nettnikl opened this issue Jan 7, 2025 · 7 comments · Fixed by #12253
Closed

Uncertain syntax for wildcard subject alt name under intermediate cert with name constraints #12250

nettnikl opened this issue Jan 7, 2025 · 7 comments · Fixed by #12253

Comments

@nettnikl
Copy link

nettnikl commented Jan 7, 2025

Not sure how to label this, sorry. Depending on the answer, this might be a feature request or a bug report.
I'm trying to create well formed and well behaved certificates under a custom CA + intermediate cert.

Wildcards are not meant to be used in the intermediate cert. (#8253)

But then, (how) can i achieve something like:

example.lan, *.example.lan  <- Cert
*.lan                       <- Intermediate (alternatively, better: example.lan, *.example.lan, example2.lan, *.example2.lan, ...)
*                           <- CA

I'd assume the CA has to have no nameConstraints.
But what to do with the intermediate then?

Allowing DNS:lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: unsatisfiable DNS name constraint: malformed SAN *.example.lan
Allowing DNS:.lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: malformed DNS name constraint: .lan
Allowing DNS:*.lan leads to: permitted subtree violation (by OpenSSL during creation)
Allowing DNS:example.lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: unsatisfiable DNS name constraint: malformed SAN *.example.lan
Allowing DNS:example.lan + DNS:.example.lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: unsatisfiable DNS name constraint: malformed SAN *.example.lan
Allowing DNS:example.lan + DNS:*.example.lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: unsatisfiable DNS name constraint: malformed SAN *.example.lan

Are you sure we can/want to disallow wildcards in the constraints?
@alex
Copy link
Member

alex commented Jan 7, 2025

cc: @woodruffw

@woodruffw
Copy link
Contributor

@nettnikl DNS name constraints don't allow patterns like *.. If you want to allow arbitrary subdomains of a domain you can express the domain itself, per RFC 5280:

DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not.

In other words, in your case, I think you want a DNS name constraint of just lan on your root or intermediate CA. If you do that, the rest should work.

@alex alex added the waiting-on-reporter Issue is waiting on a reply from the reporter. It will be automatically cloesd if there is no reply. label Jan 7, 2025
@nettnikl
Copy link
Author

nettnikl commented Jan 7, 2025

In other words, in your case, I think you want a DNS name constraint of just lan on your root or intermediate CA. If you do that, the rest should work.

I did the following, what change do you propose @woodruffw ?

Allowing DNS:lan leads to: Certificate is NOT Trusted: validation failed: candidates exhausted: unsatisfiable DNS name constraint: malformed SAN *.example.lan

@alex
Copy link
Member

alex commented Jan 7, 2025

Can you provide some code for us to run, it's a bit hard to guess at what the problem is without context.

@alex
Copy link
Member

alex commented Jan 7, 2025

Oh, I think I see the problem: https://github.com/pyca/cryptography/blob/main/src/rust/cryptography-x509-verification/src/lib.rs#L159

DNSName doesn't allow a wildcard in the SAN. I think that needs to be a DNSConstraint?

@woodruffw
Copy link
Contributor

DNSName doesn't allow a wildcard in the SAN. I think that needs to be a DNSConstraint?

DNSPattern, but yep!

Confirming limbo case here: C2SP/x509-limbo#385

I'll look into a fix tonight.

@alex alex removed the waiting-on-reporter Issue is waiting on a reply from the reporter. It will be automatically cloesd if there is no reply. label Jan 7, 2025
@alex alex mentioned this issue Jan 8, 2025
Closed
woodruffw added a commit to woodruffw-forks/cryptography that referenced this issue Jan 8, 2025
@woodruffw
x509/verification: allow DNS wildcard patterns to match NCs
d923814 
Fixes pyca#12250.
@woodruffw woodruffw mentioned this issue Jan 8, 2025
Merged
@alex alex closed this as completed in 286c891 Jan 8, 2025
@nettnikl
Copy link
Author

nettnikl commented Jan 8, 2025

You guys are gold, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

x509/verification: allow DNS wildcard patterns to match NCs woodruffw-forks/cryptography
3 participants
@alex @woodruffw @nettnikl